Tag Archives: OPNsense

OPNsense Initial Configuration

In my previous posts, I have set up an OPNsense firewall on my MSI Cubi N minicomputer. Now it’s time to actually start using the firewall.

Login to OPNsense

When starting up my Cubi N, it starts up OPNsense with a web interface. After wiring up, I can start with the initial configuration.

  • Open Browser
  • Connect to http://192.168.1.1
  • Login as root
  • Password as initially set
  • Now, I can see the Dashboard

DHCP server

OPNsense comes with built-in DHCP servers. By default, it runs the ISC DHCPv4 server. According to the documentation, the new DHCP server is Kea DHCP while the ISC DHCP server is becoming legacy. Thus, I want to use the new stuff and choose Kea DHCP.

Disable ISC DHCPv4

  • Open Services → ISC DHCPv4 → [LAN]
  • Uncheck “Enable DHCP server on the LAN interface”
  • Click the Save button

Configure Kea DHCP

  • Open Services → Kea DHCP [new] → Kea DHCP

Settings

  • Select the Settings tab
  • Check “Enabled”
  • Set the Interfaces to LAN
  • Click the Apply button

Subnets

  • Select the Subnet tab
  • Click the + Button to create a new Subnet
    • Subnet: 192.168.1.0/24
      • This is the setting to achieve the same configuration as with ISC DHCP server
      • You might choose a different subnet, as I did…
    • Pools: 192.168.1.100 - 192.168.1.199
      • This is the setting to achieve the same configuration as with ISC DHCP server
    • Activate “Auto collect option data”
      • This is actually the default setting
      • Click the Save button to confirm and store the subnet
  • Click the Apply button

Reservations

I made no changes here for the initial configuration.

HA Peers

I made no changes here for the initial configuration.

Note

If you change the IP ranges and subnets of the DHCP server, you also need to adjust the IP of the LAN interface of the firewall itself (see below)

Interface IP

Since I changed the IP range for the DHCP server, I need to change the IP address of the LAN interface as well.

  • Open Interfaces → [LAN]
  • Go to the “Static IPv4 configuration” section
  • Edit IPv4 address
    (original value: 192.168.1.1)
  • Set the subnet mask
    (dropdown next to IP address. original value: 24)
  • Click the Save button at the bottom
  • Click the Apply Changes in the header

Now, I have to change the IP address of my client computer/set the IP assignment to DHCP again. After 2-3 trials and rebooting my client PC, I can connect to the OPNsense firewall on my Cubi N again. 🥳
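
The note above ties the DHCP subnet, the pool and the firewall's LAN address together. As an added example (not part of the original post), this shell function checks such a plan before it is applied; the function names are hypothetical, and the 192.168.50.0/24 subnet in the usage comment is a constructed value.

```shell
#!/bin/sh
# Added example: sanity-check a planned LAN/DHCP layout before clicking Apply.

# Convert a dotted-quad IPv4 address to an integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# check_lan_plan SUBNET/PREFIX POOL_START POOL_END LAN_IP
# Returns 0 only if the pool lies inside the subnet and the firewall's LAN
# address is a host address of the subnet that is not part of the pool.
check_lan_plan() {
    net=$(ip2int "${1%/*}"); bits=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    lo=$(ip2int "$2"); hi=$(ip2int "$3"); gw=$(ip2int "$4")
    first=$(( net & mask ))                       # network address
    last=$(( first | (~mask & 0xFFFFFFFF) ))      # broadcast address
    [ "$lo" -le "$hi" ] ||
        { echo "pool start is above pool end" >&2; return 1; }
    [ "$lo" -gt "$first" ] && [ "$hi" -lt "$last" ] ||
        { echo "pool is not inside $1" >&2; return 1; }
    [ "$gw" -gt "$first" ] && [ "$gw" -lt "$last" ] ||
        { echo "LAN address $4 is not a host address in $1" >&2; return 1; }
    if [ "$gw" -ge "$lo" ] && [ "$gw" -le "$hi" ]; then
        echo "LAN address $4 is inside the DHCP pool" >&2
        return 1
    fi
    echo "plan is consistent: $1, pool $2-$3, LAN $4"
}

# Values from this post (the defaults):
#   check_lan_plan 192.168.1.0/24 192.168.1.100 192.168.1.199 192.168.1.1
# Constructed case: subnet changed, LAN interface still on the old address:
#   check_lan_plan 192.168.50.0/24 192.168.50.100 192.168.50.199 192.168.1.1
```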

OPNsense Firewall on MSI Cubi N

I want to set up an OPNsense firewall on my MSI Cubi N microcomputer. So far, I have created a bootable USB stick with the OPNsense installer (OPNsense 24.7 VGA amd64) in my first post. I configured the MSI Cubi N to boot from the USB stick in my second post. Now it’s time to actually install OPNsense on the Cubi N.

Boot the MSI Cubi N with the OPNsense installer

  • Create a bootable USB stick with the OPNsense installer (see this post)
  • Connect a monitor and a keyboard to the Cubi N
  • Insert the USB installer stick into a USB port of the Cubi N
  • Configure the Cubi N to start from the USB stick (see previous post)
  • Start up the Cubi N with the power button
  • As soon as the OPNsense logo shows up, press the Space key to set the boot options
    • If the OPNsense installer continues before you can hold it, you need to restart the Cubi N again.
  • Set the boot options (press the 7 key):
    • Verbose: on (press the 6 key)
    • Return to the main menu by pressing the Backspace key
  • Press the Esc key to exit the menu
    • A command prompt starting with OK is shown
  • Set the boot parameter:
    • This is required because my Cubi N halts when booting up the OPNsense installer (see References).
    • Enter the command and press the Enter key (note the US keyboard layout and that there is no space in the command except between set and the variable…)
      • set hint.uart.1.disabled="1"
  • Now boot the OPNsense installer on the Cubi N:
    • Enter the command and press the Enter key
      • boot
  • The Cubi N boots with the OPNsense installer and finally shows a login prompt 🥳

Install OPNsense on the Cubi N

  • Login
    • User: installer
    • Password: opnsense
  • Keymap Selection
    • Swiss-German
    • move to the top menu: >> Continue with ch.kbd keymap
  • Task
    • Choose the Install (ZFS) option (ZFS GPT/UEFI Hybrid)
      • The ZFS file system is in most cases the best option as it is the most reliable option, but it does require enough capacity (a couple of gigabytes at least)
  • ZFS Configuration
    • Select the stripe option for the virtual device type.
      • The default option (stripe) is usually acceptable when using a single disk.
    • Select the disk nda0 Phision 128 GB by pressing the space key
      • This is actually the single disk in the Cubi N
    • Last Chance: confirm with selecting Yes and pressing Enter
  • Installation progress
    • Wait and hang on tight…
  • Final Configuration
    • Set the Root Password
      • Define the root password and enter it twice
    • Complete Install
      • Select and press Enter to reboot
  • My Cubi N reboots from the USB stick… So I shut it down again and remove the USB stick

Start OPNsense on the Cubi N

When trying to start OPNsense on the Cubi N from the internal disk, the boot process hangs after the OPNsense logo at the same position as during the install…

  • Remove the USB stick
  • Press the power button
  • The Cubi N starts OPNsense and shows the boot logo
  • OPNsense hangs with the lines:
    ns8250: UART FCR is broken
    ns8250: UART FCR is broken
    uart0: <16550 or compatible> at port 0x3f8 irq 4 flags 0x10 on isa0
    • Well, I had that issue before🤔
    • I’ll need to persist that setting that I manually changed in the boot loader…
  • Turn off the Cubi N with the power button
  • Start the Cubi N again with the power button
  • As soon as the OPNsense logo shows up, press the Space key to set the boot options
    • Set the verbose mode as described above
    • Exit with Esc to the loader prompt
  • Set the boot parameter:
    • This is required because my Cubi N halts when booting up the OPNsense installer (see References).
    • Enter the command and press the Enter key (note the US keyboard layout and that there is no space in the command except between set and the variable…)
      • set hint.uart.1.disabled="1"
  • Now boot OPNsense
    • Enter the command and press the Enter key
      • boot
  • OPNsense is booting up
  • Login
    • root
    • my secret password 🤐
  • The console now shows some options:
    0)  Logout                        7)  Ping host
    1)  Assign interfaces             8)  Shell
    2)  Set interface(s) IP address   9)  pfTop
    3)  Reset the root password      10)  Filter logs
    4)  Reset to factory defaults    11)  Restart web interface
    5)  Reboot system                12)  Upgrade from console
    6)  Halt system                  13)  Restore a configuration
  • Press the 8 key and Enter to enter the shell with a command prompt
  • Edit the /boot/device.hints file with vi:
    • enter the boot directory in the root folder with the cd command
    • cp device.hints device.hints_original_backup
    • vi device.hints
  • Editing files in vi is a nightmare. Best check first one of the links below…
    By pressing the d and a key, one can delete and append characters from the cursor position, respectively.
  • I replaced the hint.uart.0 and hint.uart.1 entries with these lines:
    hint.uart.0.disabled="1"
    hint.uart.1.disabled="1"
  • Write the file with this command (the file is write protected, thus the “!”):
    :w!
  • Exit vi with
    :q!
  • I left the shell command prompt, probably by typing exit
  • This brought me back to the OPNsense menu with the 13 options (see above)
  • I used the reboot option (#5)
  • Now the Cubi N successfully starts OPNsense without any issues and finally shows the login prompt!
    🥳🥳🥳

Note

I tried to reset the BIOS settings to the default values as described in my first post. However, the Cubi N didn’t boot up anymore with these settings. So, I restored my changed settings from my post about booting the MSI Cubi N from the USB stick.

References

OPNsense

MSI Cubi N

OPNsense boot up issue

OPNsense installation

vi

Boot the MSI Cubi N from a USB Stick

I want to set up an OPNsense firewall on my MSI Cubi N microcomputer. In my previous post, I described how to create the bootable USB stick for installation. Now it’s time to boot the MSI Cubi N from this USB stick.

My MSI Cubi N comes with Windows preinstalled on it. And I cannot enter the BIOS by pressing the Delete or F2 button upon startup.

Insert the USB key

It is easiest to insert the USB key with the installation media before starting the Cubi N and changing the BIOS settings. This way, the USB key is detected and shown in the Boot menu.

Enter the BIOS

  • Switch off the Cubi N by holding down the power button until it is off.
  • Start the Cubi N by pressing the power button and holding it down for about 3 seconds. Don’t let go of the power button until you see the BIOS screen.
  • The MSI Click BIOS screen opens

Note

It sometimes takes a bit of fiddling around with starting the Cubi N and switching it off again when trying to get into the BIOS.

BIOS changes

Now it’s time to make some changes in the BIOS. We need to set the Boot order and adjust some Security settings.

Boot

  • Navigate to the Boot tab
  • Disable the Fast Boot
  • Change the Boot Order by editing the first entry #1
    (all entries have a UEFI prefix in the BIOS). Change from:
    • #1: CD-DVD
    • #2: Hard Disk: Windows Boot Manager (Phision 128GB E)
    • #3: USB Floppy
    • #4: USB CD-DVD
    • #5: USB Hard Disk
    • #6: USB Key: UEFI: KingstonDataTraveler 2.0PMAP, Partition 1
    • #7: Network
  • to the new Boot Order:
    • #1: USB Key UEFI: KingstonDataTraveler 2.0PMAP, Partition 1
    • #2: Hard Disk: Windows Boot Manager (Phision 128GB E)
    • #3: USB Floppy
    • #4: USB CD-DVD
    • #5: USB Hard Disk
    • #6: CD-DVD
    • #7: Network

Note

The correct boot device depends on the image written to the USB key.

Security

When trying to boot from the USB Key, an error might be shown:

    Secure Boot Violation
    Invalid signature detected. Check Secure Boot Policy in Setup.

Searching the internet, I found that I need to disable the Secure Boot option.

  • Navigate to the Security tab
  • Enter the Secure Boot entry
  • Disable the Secure Boot option

Save & Exit

To exit from the BIOS with the changed settings:

  • Navigate to the Save & Exit tab
  • Choose the Save Changes and Reboot option
  • Confirm
  • The Cubi N reboots and starts from the inserted USB Key. 🥳

Reset the BIOS settings

After installation, I probably should reset the changed BIOS settings:

  • Enter the Save & Exit tab of the BIOS
  • Choose the Restore Defaults option
  • Confirm the changes
  • Choose the Save Changes and Reboot option.

Note

It turned out that the Cubi N didn’t boot up anymore if I restored to the initial factory settings. Thus, I restored my changed settings again.

Conclusion

To install the OPNsense Firewall on my Cubi N, I need to enter the BIOS with the power button, change the Boot Order and disable Fast Boot as well as Secure Boot.

It is now time to install the OPNsense Firewall 😀


Write an ISO image file to USB stick from macOS

I want to set up an OPNsense firewall on my MSI Cubi N microcomputer. First of all, I need a bootable USB stick. Since I use a non-privileged user on my MacBook, things get a bit more complicated…

Download the Installer: https://opnsense.org/download/
File: OPNsense-24.7-vga-amd64.img.bz2

Now, let’s open the terminal and continue there. Determine the SHA256 checksum and compare it with the checksum provided on the download page:

    shasum -a 256 OPNsense-24.7-vga-amd64.img.bz2

Copy the ISO image file to the admin user that has more access rights:

    cp OPNsense-24.7-vga-amd64.img.bz2 /Users/admin/Public/Drop\ Box/

Login as the admin user:

    su admin

Move to the drop box directory of the admin user. WordPress or my server doesn’t allow me to enter the command with path here…

Unpack the image:

    bunzip2 OPNsense-24.7-vga-amd64.img.bz2

Insert the USB stick and determine its path by running the mount command:

    mount

The output of the mount command shows that the USB stick is assigned on my system to /dev/disk2

    /dev/disk2 (external, physical):
    ...

And here is an alternative method to determine the mounting:

    diskutil list
    diskutil unmountDisk /dev/disk2
    diskutil list

Write the image to the USB stick. Note that the path of the USB stick determined previously is changed: /dev/disk2 → /dev/rdisk2

    sudo dd if=OPNsense-24.7-vga-amd64.img of=/dev/rdisk2 bs=64k

And the output is:

    39955+1 records in
    39955+1 records out
    2618501632 bytes transferred in 512.309291 secs (5111173 bytes/sec)

Eject the USB stick and use it to set up the OPNsense firewall.
